Skip to content

Commit 3061400

Browse files
gahaasV8-internal LUCI CQ
gahaas
authored and
V8-internal LUCI CQ
committed
[rebase] Delete code re-introduced by rebase to main
findOrGenerateArguments is supposed to use findOrGenerateType, as there is unnecessary code sharing otherwise. In the wasm branch, this was already fixed, but when it got rebased to main, the fix was undone again. Change-Id: I651e3c8c150a85e550752559cdf6eab432fe4b9b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7967835 Commit-Queue: Andreas Haas <[email protected]> Reviewed-by: Carl Smith <[email protected]>
1 parent 6e464de commit 3061400

File tree

1 file changed

+0
-97
lines changed

1 file changed

+0
-97
lines changed

Sources/Fuzzilli/Base/ProgramBuilder.swift

Lines changed: 0 additions & 97 deletions
Original file line numberDiff line numberDiff line change
@@ -505,103 +505,6 @@ public class ProgramBuilder {
505505

506506
private func findOrGenerateArgumentsInternal(forSignature: Signature) -> [Variable] {
507507
var args: [Variable] = []
508-
509-
// This should be called whenever we have a type that has known information about its properties but we don't have a constructor for it.
510-
// This can be the case for configuration objects, e.g. objects that can be passed into DOMAPIs.
511-
func createObjectWithProperties(_ type: ILType) -> Variable {
512-
assert(type.MayBe(.object()))
513-
514-
// Before we do any generation below, let's take into account that we already create a variable with this invocation, i.e. the createObject at the end.
515-
// Therefore we need to decrease the budget here temporarily.
516-
self.argumentGenerationVariableBudget! -= 1
517-
// We defer the increase again, because at that point the variable is actually visible, i.e. `numVariables` was increased through the `createObject` call.
518-
defer { self.argumentGenerationVariableBudget! += 1 }
519-
520-
var properties: [String: Variable] = [:]
521-
522-
for propertyName in type.properties {
523-
// If we have an object that has a group, we should get a type here, otherwise if we don't have a group, we will get .anything.
524-
let propType = fuzzer.environment.type(ofProperty: propertyName, on: type)
525-
properties[propertyName] = generateType(propType)
526-
}
527-
528-
return createObject(with: properties)
529-
}
530-
531-
func createObjectWithGroup(type: ILType) -> Variable {
532-
let group = type.group!
533-
534-
// We can be sure that we have such a builtin with a signature because the Environment checks this during initialization.
535-
let signature = fuzzer.environment.type(ofBuiltin: group).signature!
536-
let constructor = createNamedVariable(forBuiltin: group)
537-
let arguments = findOrGenerateArgumentsInternal(forSignature: signature)
538-
let constructed = construct(constructor, withArgs: arguments)
539-
540-
return constructed
541-
}
542-
543-
func generateType(_ type: ILType) -> Variable {
544-
if probability(0.5) {
545-
if let existingVariable = randomVariable(ofType: type) {
546-
return existingVariable
547-
}
548-
}
549-
550-
if numVariables >= argumentGenerationVariableBudget! {
551-
logger.warning("Reached variable generation limit in generateType for Signature: \(argumentGenerationSignature!), returning a random variable for use as type \(type).")
552-
return randomVariable(forUseAs: type)
553-
}
554-
555-
// We only need to check against all base types from TypeSystem.swift, this works because we use .MayBe
556-
// TODO: Not sure how we should handle merge types, e.g. .string + .object(...).
557-
let typeGenerators: [(ILType, () -> Variable)] = [
558-
(.integer, { return self.loadInt(self.randomInt()) }),
559-
(.string, { return self.loadString(self.randomString()) }),
560-
(.boolean, { return self.loadBool(probability(0.5)) }),
561-
(.bigint, { return self.loadBigInt(self.randomInt()) }),
562-
(.float, { return self.loadFloat(self.randomFloat()) }),
563-
(.regexp, {
564-
let (pattern, flags) = self.randomRegExpPatternAndFlags()
565-
return self.loadRegExp(pattern, flags)
566-
}),
567-
(.iterable, { return self.createArray(with: self.randomVariables(upTo: 5)) }),
568-
(.function(), {
569-
// TODO: We could technically generate a full function here but then we would enter the full code generation logic which could do anything.
570-
// Because we want to avoid this, we will just pick anything that can be a function.
571-
return self.randomVariable(forUseAs: .function())
572-
}),
573-
(.undefined, { return self.loadUndefined() }),
574-
(.constructor(), {
575-
// TODO: We have the same issue as above for functions.
576-
return self.randomVariable(forUseAs: .constructor())
577-
}),
578-
(.object(), {
579-
// If we have a group on this object and we have a builtin, that means we can construct it with new.
580-
if let group = type.group, self.fuzzer.environment.hasBuiltin(group) && self.fuzzer.environment.type(ofBuiltin: group).Is(.constructor()) {
581-
return createObjectWithGroup(type: type)
582-
} else {
583-
// Otherwise this is one of the following:
584-
// 1. an object with more type information, i.e. it has a group, but no associated builtin, e.g. we cannot construct it with new.
585-
// 2. an object without a group, but it has some required fields.
586-
// In either case, we try to construct such an object.
587-
return createObjectWithProperties(type)
588-
}
589-
})
590-
]
591-
592-
// Make sure that we walk over these tests and their generators randomly.
593-
// The requested type could be a Union of other types and as such we want to randomly generate one of them, therefore we also use the MayBe test below.
594-
for (t, generate) in typeGenerators.shuffled() {
595-
if type.MayBe(t) {
596-
let variable = generate()
597-
return variable
598-
}
599-
}
600-
601-
logger.warning("Type \(type) was not handled, returning random variable.")
602-
return randomVariable(forUseAs: type)
603-
}
604-
605508
outer: for parameter in forSignature.parameters {
606509
switch parameter {
607510
case .plain(let t):

0 commit comments

Comments
 (0)